Jeff asked:
hMailserver is an open source Windows e-mail server. For incoming e-mail it supports STARTTLS with the help of OpenSSL 1.1.1.
It allows configuring the cipher suites, the default is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
I wanted to disable AES256-GCM-SHA384, but after removing it, the cipher suite was still offered for STARTTLS (according to test site https://internet.nl). In the end I had to remove AES128, AES256 and HIGH to stop AES256-GCM-SHA384 from appearing on STARTTLS.
How should I read this OpenSSL configuration setting? On the last line AES128 and AES256 are mentioned standalone. Doesn't this mean that any cipher with AES128 or AES256 will be allowed, making the long list before that quite redundant? The same goes for HIGH; doesn't that make mentioning a lot of the other cipher suites redundant?
My answer:
You tried to disable a mandatory cipher suite for TLS 1.3, while TLS 1.3 was enabled, thus OpenSSL ignored the request.
If you want to disable this cipher suite, you must also disable TLS 1.3 (which it seems you did by removing HIGH).
You should not be attempting to do this at all. You should instead ask about whatever problem you had that led to this as a possible solution, so that something reasonable can be found. Unless, of course, you really mean to disable TLS 1.3.
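A practical way to read a cipher string is to let OpenSSL expand it and look at what comes out. The script below is an added example (not from the question, the answer, or hMailServer) that feeds the default string from the question to the local OpenSSL through Python's ssl module, then repeats the asker's two edits: removing only the AES256-GCM-SHA384 token, and additionally removing the AES128, AES256 and HIGH group keywords. It shows that the group keywords re-enable the suite after its explicit name is gone, so the explicit entries earlier in the string only affect ordering, not membership. It also shows the TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and friends) being listed regardless of the string, because OpenSSL 1.1.1 keeps them in a separate list (SSL_CTX_set_ciphersuites) that the classic cipher string does not control. The function names and the helper for deleting tokens are mine, not an OpenSSL or hMailServer API.

```python
import ssl

# hMailServer's default cipher string as quoted in the question. The trailing ';'
# in the question is a config-file terminator, not part of the OpenSSL string.
DEFAULT_CIPHER_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:"
    "AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)


def expand(cipher_string):
    """Ask the local OpenSSL what a cipher string really enables (hypothetical helper).

    Returns (pre_tls13_names, tls13_names). Names that the local OpenSSL build no
    longer provides (e.g. RC4) are silently dropped by OpenSSL itself. The TLS 1.3
    suites come back whatever the string says, because set_ciphers() only edits the
    classic list; OpenSSL 1.1.1 holds the TLS 1.3 suites separately.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing at all matches
    legacy, tls13 = [], []
    for cipher in ctx.get_ciphers():
        (tls13 if cipher["protocol"] == "TLSv1.3" else legacy).append(cipher["name"])
    return legacy, tls13


def remove_tokens(cipher_string, tokens):
    """Delete whole ':'-separated tokens (exact matches only) from a cipher string."""
    drop = set(tokens)
    return ":".join(tok for tok in cipher_string.split(":") if tok not in drop)


def still_enabled(cipher_string, suite):
    """True if 'suite' (a pre-TLS 1.3 name) survives OpenSSL's expansion of the string."""
    legacy, _ = expand(cipher_string)
    return suite in legacy


if __name__ == "__main__":
    target = "AES256-GCM-SHA384"
    minus_name = remove_tokens(DEFAULT_CIPHER_STRING, [target])
    minus_groups = remove_tokens(minus_name, ["AES128", "AES256", "HIGH"])
    for label, s in (("default", DEFAULT_CIPHER_STRING),
                     ("minus explicit name", minus_name),
                     ("minus name and groups", minus_groups)):
        legacy, tls13 = expand(s)
        print(f"{label:22s} {target} enabled: {str(target in legacy):5s} "
              f"({len(legacy)} pre-1.3 suites); TLS 1.3 suites: {', '.join(tls13)}")
```

The same expansion is available on the command line as `openssl ciphers -v 'STRING'`, which is the quickest check to run before changing a server's cipher string; the TLS 1.3 list is managed separately with `openssl ciphers -ciphersuites` or the `Ciphersuites` configuration directive.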
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.